If you’re an existing US Department of Defense (DoD) contractor, then you’ve probably achieved Defense Federal Acquisition Regulation Supplement (DFARS) compliance by now. But did you know that CMMC 2.0 requirements don't replace DFARS regulations? If you're a contractor who deals with CUI, then you must ensure that you comply with the minimum security requirements of DFARS.
Background: DFARS vs. CMMC
To protect all controlled unclassified information (CUI) that the DoD handles, the department required all of its contractors to meet certain cybersecurity requirements — known as DFARS compliance — which went into effect on December 31, 2017.
Further reading: Understanding DFARS Compliance: Overview & Requirements
Soon after, the DoD began to struggle with low rates of DFARS compliance. To address this issue, the department introduced CMMC 1.0 and its five levels as a way to categorize its contractors. Those in Levels 1 and 2 need not meet all the requirements of DFARS. But those who have already achieved DFARS compliance could easily have obtained CMMC [1.0] Level 3 by adopting several more cyber hygiene practices when they undergo certification.
Difference Between DFARS and CMMC
DFARS and CMMC are similar in many ways because the latter draws heavily from the former, but there are some key differences between them.
What is CMMC 2.0
Unlike DFARS, CMMC 2.0 has three levels of maturity based on the complexity of cybersecurity practices and processes, with each level characterized by its focus.
By categorizing its contractors into different levels, the DoD can ensure that contractors for each project have the appropriate cybersecurity practices and processes in place to protect FCI and CUI.
Technical Basis
To be DFARS-compliant, a DoD contractor must meet all 14 security requirements stipulated in the National Institute of Standards and Technology Special Publication (NIST SP) 800-171. As you can see in the chart below, if you are DFARS compliant, you are aligned with CMMC 2.0 Level 2 certification.
Compliance Assessor
While self-assessment is enough (although not recommended) to achieve DFARS compliance and CMMC 2.0 level one, CMMC 2.0 requires an external assessor for CMMC 2.0 levels two and three. This external assessor must have received their training and license from the CMMC Accreditation Body.
Next Step for DoD Contractors
If you’ve achieved DFARS compliance through a self-assessment, we recommend completing a third-party assessment to obtain CMMC 2.0 Level 2 compliance. That said, if you need CMMC 2.0 Level 2 compliance, then of course, your next steps will look a little different.
Charles IT can help you achieve both DFARS and CMMC 2.0 compliance with our two-step process:
- Complete a Gap Assessment to determine where your cybersecurity gaps exits.
- Review the results with a Charles IT expert who will not only ensure you understand what you're looking at but also provide you with our recommendations for how to fill those gaps.
Start your journey to compliance by finding out your security gaps today!
Editor's Note: This post was originally published in July 2020 and has been updated for accuracy and comprehensiveness.